Better information sharing is the future of security, experts say

After having founded a software security company, selling it to HP and then working for them, Roger Thornton gained valuable insight into the evolving IT security threat landscape. So, naturally, he left HP and took on a new role in an entirely different sector, where he is taking part in an initiative that aims to bring the security community to new levels of information sharing.

Thornton is three months into his new position as CTO of AlienVault, which is known for its OSSIM (Open Source Security Information Management) tool, and more recently launched its Open Threat Exchange, a free security threat intelligence feed.

While AlienVault does offer a paid version of the Open Threat Exchange, or OTX, the company has made it free for organizations that connect to its network and submit their security data for analysis. AlienVault's research team uses a handful of threat monitoring tools, including vulnerability scanning and wireless intrusion detection, to aggregate its customers' network security standards. That data is then made anonymous by a set of researchers, who then anonymously submit the pertinent threat data to customers looking to gauge the potential for similar threats on their own networks.

Two emerging trends serve as the impetus behind the OTX. The first is the current reluctance to report security threat information among enterprises out of fear of giving competitors an advantage or suffering a public relations disaster. As Thornton put it, the OTX is "built like security guys would build it," because "there is no way, even if you broke into our systems, that you'd be able to track this information back to a specific customer instance."

The second trend that helped spawn the idea for the OTX is that of security threat information sharing, which Thornton has seen quite often among large enterprises that are unwilling to share with the rest of the community.

"One of the things I learned at HP and Fortify is that my very biggest customers, and we had back then every big bank and all the government guys, they do share threat information with each other. But it's very tight, little private networks," Thornton says.

Having seen "a lot of value from that sharing," Thornton took interest in AlienVault's crowd-sourced approach to threat intelligence for organizations that lack the resources of these larger banks and government institutions.

"We've got no beef with the security rich," Thornton says. "We just want to make sure everyone else has what they have."

Even in its earliest stages, AlienVault's OTX is being welcomed by the security community. Wolfgang Kandek, CTO of Qualys, says the OTX will be "tremendously helpful" to security professionals, for both its anonymous nature and the ability to gain visibility over an entire network of users.

"I honestly don't believe any companies are big enough to see everything and to have 100% valid information," Kandek says. "That's why I think the future is in information sharing."

The idea of sharing security threat information has been widely discussed lately, with even Microsoft announcing plans to establish its own threat intelligence feed for the global research data it collects on malware and botnets. A lingering question behind this increasingly popular approach is whether it will help the security industry transition from its reactive nature, in which vulnerabilities are patched only after they're exploited, to a proactive community that closes gaps before damage is incurred.

Paul Henry, security and forensic analyst at Lumension, praised Microsoft's threat intelligence feed as a tool that will stem the bleeding from attacks that have already occurred, but doubted its potential as a defensive measure.

"I don't see a decrease in threats, but I do see this limiting the possible damage from a given threat as the community will be able to respond faster," Henry says.

Proactive security is an idea Thornton has wrestled with over the course of his career. By now, after having worked with HP, he doesn't believe proactive security will be possible until major manufacturers can ship products that are assured to be 100% secure. Until then, customers will continue to purchase software products, then purchase additional security controls to protect them, and continue to patch the additional threats that get exposed down the line, Thornton says.

"We're buying stuff that's vulnerable. We're living in buildings that are prone to burning to the ground," Thornton says. "I'm a big believer that being proactive in security goes way back to the manufacturers and the system integrators and even the end users who build their own stuff. There's this proactive element of security that's missing. But I can tell you, probably with as much expertise as anybody, it's going to be a long time before security is proactively resolved."

Kandek believes a significant cause of this reactive nature is the competitive landscape of security software vendors. Because software vendors see information about a security threat as a competitive advantage, they are less likely to share it with anyone who might publicize it, including those who might be able to help resolve it, Kandek says.

Rather than take this approach, Thornton believes the visibility of a threat intelligence feed will bring the security industry as close to a proactive state as it's going to get.

"What we do in the broad sense is visibility," Thornton says. "Visibility is going to catch some things before they happen and some things after they happen, but without visibility, you have no idea these things are happening at all."

Recent research indicates that these kinds of capabilities are quickly becoming a necessity for organizations that have little insight into their current security vulnerabilities. In a study conducted by CompTIA, 83% of 500 responding U.S. executives acknowledged that the threat level is on the rise, while just 20% admitted their company was subjected to data loss in the past year.

That's a trend that Seth Robinson, director of technology analysis at CompTIA, says can be attributed to "a lack of the oversight capability and the management capabilities of security tools."

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.